Berlin Regional Court overturns fine of millions against real estate company

With the press release of November 5, 2019, the Berlin Data Protection Commissioner (BlnBDI) had still publicly reported on a fine of €14.5 million imposed on a real estate company for violations of the GDPR. This penalty notice was cancelled by the Berlin Regional Court in a decision dated February 18, 2021 (526 OWi LG) 212 Js-OWi 1/20 (1/20) and the proceedings were discontinued due to an impediment to proceedings.

According to the Regional Court, the penalty notice was issued in a procedure that is not provided for in the Code of Administrative Offenses (OWiG) and is therefore not permissible. The BlnBDI was not aware of this problem at the time of the decision on the fine and took the view that a legal entity could be treated in the same way as a natural person in administrative offence law and fined. According to the decision of the Regional Court, the supervisory authority would have had to establish in the course of the fine proceedings that a management person of the company had unlawfully and culpably committed a criminal or administrative offense. This act could have been attributed to the legal entity in connection with the finding of violation of the duty of supervision. This did not happen in the supervisory authority’s fine proceedings and could not be made up.

The formal requirements for imposing a GDPR fine are hotly disputed in literature and case law. As recently as November 2020, the Bonn Regional Court took a different view and ruled that Art. 83 GDPR constitutes a sufficient legal basis for direct association liability of legal entities (ruling of November 11, 2020 – 29 OWi 1/20)

According to a press release by BlnBDI, the Berlin public prosecutor’s office has filed an appeal against the decision of the Berlin Regional Court. It therefore remains to be seen whether the discontinuation of the proceedings will stand and whether the case will be referred to the ECJ if necessary.

Regardless of the outcome of the proceedings, it can be assumed that the data protection supervisory authorities will not repeat the mistake made by BlnBDI.